Wildcards

Use the asterisk ( * ) wildcard character to match an unrestricted number of characters in a string. If you specify an asterisk with no other criteria, you are asking to match everything, and all events are retrieved up to the maximum limit. Searching for * as part of a string generates matches based on that string. For example:

my* matches myhost1, myhost.ny.mydomain.com, myeventtype, and so on.

*host matches myhost, yourhost, and so on.

*host* matches host1, myhost3, yourhost27.yourdomain.com, and so on.

The more specific your search terms are to the events that you want to retrieve, the better chance you have of matching the terms. For example, searching for access denied is always better than searching for denied. If 90% of your events have the word error but only 5% have the word sshd, and the events that you want to find require both of these words, include sshd in the search to make it more efficient.

When to avoid wildcard characters

There are several situations in which you should avoid using wildcard characters.

Avoid using wildcards in the middle of a string

Wildcard characters in the middle of a word or string might cause inconsistent results. This is especially true if the string contains punctuation, such as an underscore _ or dash - character.

For example, suppose you want to match every uri_path that starts with /cart. The problem is that the paths contain a forward slash ( / ) character and a period ( . ) character. Instead of specifying a wildcard character for the punctuation, such as /cart*, specify the punctuation directly in your search criteria. For example, specify /cart.do OR /cart/error.do OR /cart/success.do.

Prefix wildcards might cause performance issues

When you use a wildcard character at the beginning of a string, performance degradation might occur.
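
The cost difference between a trailing and a leading wildcard can be seen on a simplified model. This is an added example, not Splunk code and not part of the original documentation: it assumes a sorted term list as a stand-in for an index's term dictionary and counts how many terms each pattern has to examine. The function names and sample terms are constructed for illustration.

```python
from bisect import bisect_left

# Constructed sample terms; the sorted list is an assumed stand-in for an
# index's term dictionary, not Splunk's actual on-disk format.
TERMS = sorted([
    "access", "denied", "error", "host1", "myeventtype", "myhost",
    "myhost.ny.mydomain.com", "myhost1", "myhost3", "sshd", "yourhost",
    "yourhost27.yourdomain.com",
])


def match_trailing(prefix, terms=TERMS):
    """Match prefix* : binary-search to the first candidate, stop at the first miss."""
    hits, examined = [], 0
    i = bisect_left(terms, prefix)
    while i < len(terms):
        examined += 1
        if not terms[i].startswith(prefix):
            break  # sorted order guarantees no later term can match
        hits.append(terms[i])
        i += 1
    return hits, examined


def match_leading(suffix, terms=TERMS):
    """Match *suffix : sort order gives no starting point, so every term is examined."""
    hits = [t for t in terms if t.endswith(suffix)]
    return hits, len(terms)


def match_contains(middle, terms=TERMS):
    """Match *middle* : also requires a full scan of the term list."""
    hits = [t for t in terms if middle in t]
    return hits, len(terms)


if __name__ == "__main__":
    for label, (hits, examined) in [
        ("my*", match_trailing("my")),
        ("*host", match_leading("host")),
        ("*host*", match_contains("host")),
    ]:
        print(f"{label:7} examined {examined:2} of {len(TERMS)} terms -> {hits}")
```

In this model my* examines only the matching terms plus one, while *host and *host* examine every term regardless of how few match.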
